A not-for-profit community health center that provides health care for low-income and uninsured patients experienced two ransomware attacks in a four-month period.
The first attack shut down the center's computers for three weeks while it rebuilt its systems from backups; it did not pay the ransom. This approach is consistent with industry advice for two reasons. First, there is no guarantee that the data will be restored after the ransom is paid. Second, paying the ransom encourages future ransomware attacks.
The second attack likewise locked the center out of its medical records. This time, after contacting consultants and the FBI, the health center decided to pay the $70,000 ransom, instead of rebuilding its computer system from scratch.
In addition to the $70,000 ransom, the health center has spent more than $1,000,000 addressing the ransomware attack.
Are you prepared for a ransomware attack?
Whether you pay the ransom or not, a ransomware attack is extremely costly, both financially and in the non-financial harm to your business. Earlier this year, an ENT practice permanently closed after ransomware deleted and overwrote its records, bills and appointments, along with the backups. Without records and the ability to schedule appointments, care will suffer and employees will be strained.
Use your HIPAA Security Risk Analysis to identify vulnerabilities in your sources of electronic PHI, and mitigate those risks, including the risk of ransomware. Maintain an off-site backup of your ePHI, such as a cloud backup, kept separate from your production systems so that an attack cannot overwrite the backup along with the live records.
If you need help creating a ransomware defense, the US Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) provides precautions and best practices.